Orion Poplawski wrote:
On 02/19/2013 03:10 PM, Simo Sorce wrote:
On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own certificates when configuring IPA in order to make use of wildcard SSL certificates. But it seems this will not be the case. My last post on this went unanswered and I see tickets for the removal going forward.

As I understand it though, I'll still be able to generate a CSR for the server and get it signed by an external CA? If this is the case, I guess this extra expense of individual SSL certificates for the various IPA servers could be acceptable, although unfortunate as this is what we had hoped to avoid with the wildcard cert.

Finally, there was mention of the possibility of getting the IPA CA signed by an external authority. Just to let everyone know, this is a very expensive proposition. I was quoted a $22,500 start fee plus licensing costs. This is *way* out of our (and I suspect many other small businesses') price range.

Why would you need to get your CA signed by a public authority?

When we say external we generally think of another "Internal CA" that you already use for your own services.

Simo.


https://www.redhat.com/archives/freeipa-users/2013-January/msg00216.html


The problems with this are:

- Only a very small handful of people actually use this (or used it).
- We don't test this (obviously) and there are a lot of bugs and corner cases.
- Even if we do fix it, we likely still won't test it very often, leading to more woes.
- This will blow up at cert renewal time.
- There is still an underlying CA hidden in there, doing nothing (but perhaps causing problems).
- If you want to support FF < 15 you need an object signing cert too to sign the auto-configure jar.

A far better solution than replacing the certificates post-install is to have an option for a CA-less IPA installation. I doubt we'd actively work on adding such an option. But it would likely be a lot more robust than changing things after the fact.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users